Posted by samzenpus on Friday October 14, 2011 @12:01AM from the nothing-to-see-here-citizen dept.

wiredmikey writes "Air Force officials have revealed more details about a malware infection that impacted systems used to manage a fleet of drones at the Creech Air Force Base in Nevada, as reported last week. The 24th Air Force first detected the malware – which they characterized as a 'credential stealer' as opposed to a keylogger, as originally reported – and notified Creech Air Force Base officials Sept. 15 that malware was found on portable hard drives approved for transferring information between systems. The infected computers were part of the ground control system that supports remotely-piloted aircraft (RPA) operations. The malware is not designed to transmit data or video or corrupt any files, programs or data, according to the Air Force. The ground system is separate from the flight control system used by RPA pilots to fly the aircraft."

At first I thought you were referring to the 80's movie Making The Grade ("Exchange student from Lower Slobivia"), but then stumbled upon the fact that Slobovia is used as a reference to any "non-specific, far-away country." Wikipedia on Slobovia [wikipedia.org]

Yeah, this makes much more sense. Didn't stop everyone from reporting that the drone fleet was infected with viruses when this first broke. I could be wrong but I'm fairly sure the Predator isn't running Windows 98 (or god help us all). I think those of us with some sense were wondering when the real story was going to break.

The drone itself may not be running a standard OS, but it's entirely possible that part of the flight control system might. More critical systems have been built atop Windows platforms before, and the DoD doesn't have a particularly good record with computer-related sensibilities; see: how all .mil domains are digitally signed by a CA that no web browser (including those on DoD computers) recognizes as legitimate.

My favorite quote from the article [securityweek.com]: "We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions," Cook said in a statement. "Continued education and training of all users will also help reduce the threat of malware to Department of Defense systems."
Why do I get the feeling that Norton/McAfee are offering their "latest anti-virus software" to "strengthen our

99% of the usage is broken and misunderstood. I'd say that only 1% of the populace actually understand security, and a diminished number actually take steps to placate the problem. When I hear that someone thinks that sticky-plaster anti-virus will be like a hand barrier cream, I cringe. This is the nation state that had a hand in Stuxnet.

Apparently, the air force has deduced that they understand this malware, and it's just a password stealer for online games. So that's alright then. /SARCASM/ off.

Sounds an awful lot like media damage control to me. Downplaying the scale of the failure and misinforming the public once the full scale has become known and the utter mind-boggling disaster it was has become apparent. So far it was "We've got an embarrassing problem", and now it became "If the press learns of the full scale, heads will fall like rain."

The implication is apparently that since it was only the ground control system, not the flight control system, there was no danger of the aircraft control being compromised. This is false. The ground control system is in fact in complete control of the aircraft, if it so chooses. The bottom line is, somebody should be put in the brig for allowing Windows anywhere near a UAV.

Servers/Drones/etc. like these should NEVER allow any account permission to run non-whitelisted applications. The fact is, barely any code should be allowed to execute, and it's completely inexcusable for them to not be using the whitelisting rules that are part of Windows/Active Directory. In an environment like this where there are rigid policies for doing practically anything related to production software, preventing rogue code execution should be mind-bogglingly easy for one moderately skilled administrator.

If you RTFA, you would have determined that the flight control system is not infected, and the systems that are in question are ancillary information systems. Think of a monitor with Google Maps...

The reason they use removable HDDs is probably so they can model the necessary mission data offsite, and then "replay" it at mission time.

I remember reading somewhere that the latency is actually huge, something like 15-30 seconds (they are controlled from Nevada, after all). The UAVs do most of the flying themselves, and the people in Nevada tell them "go here", "go there" and "fire missile at that target." Then for takeoff and landing, control is passed to someone onsite in the Middle East who has better latency.

Or just don't let Windows anywhere near deadly weapons, how about. Never has been secure, never will be, not in any real, shipping form, except according to cynical apologists with their hands in the cookie jar.

They're still using awkward wording. Neither the computer on the plane nor the computer the pilot is sitting in front of runs Windows. In the same trailer, there are also several machines used for data analysis that DO run Windows, and are the only place this malware (virus? worm? trojan? I never could keep them straight) could possibly have taken hold.
Also, the "credentials" in question are video game registration keys. Good luck finding many of those on these workstations!

If the computers are really not connected to the Internet as I had read from the earlier articles, the virus can't send any information it captures nor can it receive commands. At most it could format their hard drive.

Have you forgotten about Stuxnet? That virus was designed to sabotage industrial equipment that was not connected to the internet. It was designed to propagate through removable drives and local networks. And Stuxnet did reach its target and sabotaged it successfully without even causing suspicion.

Imagine that the Chinese/Russians modify Stuxnet (I've read it is quite modular) to infiltrate the UAV control. Imagine that they add a module that activates only when the drone enters GPS coordinates of China/Russia. Thi

Why don't they allow only signed software that is on a whitelist to run on their computers?

Sure, whitelists are highly undesirable for ordinary consumers (to say the least), but for the military or other domains with high security demands they seem to make sense to me. Shouldn't their software be audited and signed first anyway? Shouldn't they run a custom BIOS and an operating system that can check signatures before running code? Are there technical reasons against this?

You assume the hardware / OS is sufficient for the function you described. How many hacked-up versions of Windows CE do you know that can be properly software secured? I still remember bypassing whitelists by renaming Netscape to Notepad. :)

And they should use a "default deny security enforcement policy" (e.g. Bit9 software). If the application's signature is not on the permitted list it should be prevented from running. Period.
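An added example, not code from any commenter, from Slashdot, or from Bit9, that puts the two comments above side by side: a filename-based allowlist (the kind defeated by renaming Netscape to Notepad) next to a content-hash, default-deny allowlist of the sort the "permitted list" comment describes. The "executables" are constructed byte strings standing in for real binaries, and the policy names, the `DenyEvent` record and the `authorize` function are this example's own, not any product's API.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-ins for two executables. Real binaries start with an
# "MZ" header, but these bytes are sample data, not real programs.
APPROVED_EDITOR = b"MZ\x90\x00 constructed-sample: approved text editor"
UNAPPROVED_BROWSER = b"MZ\x90\x00 constructed-sample: unapproved web browser"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary (name is irrelevant)."""
    return hashlib.sha256(data).hexdigest()


# Policy 1: allow by filename. This is what a rename bypasses.
NAME_ALLOWLIST = {"notepad.exe"}

# Policy 2: default deny, allow only by content hash of an audited binary.
# The hash list would normally be generated from audited, signed builds;
# here it is built from the constructed sample above.
HASH_ALLOWLIST = {sha256_hex(APPROVED_EDITOR)}


def name_policy(filename: str, data: bytes) -> bool:
    return filename.lower() in NAME_ALLOWLIST


def hash_policy(filename: str, data: bytes) -> bool:
    return sha256_hex(data) in HASH_ALLOWLIST


@dataclass
class DenyEvent:
    """Audit record: a denied execution attempt is also a detection signal."""
    filename: str
    sha256: str


@dataclass
class Enforcer:
    policy: Callable[[str, bytes], bool]
    deny_log: list = field(default_factory=list)

    def authorize(self, filename: str, data: bytes) -> bool:
        """Return True if execution is permitted; log every denial."""
        allowed = self.policy(filename, data)
        if not allowed:
            self.deny_log.append(DenyEvent(filename, sha256_hex(data)))
        return allowed


def rename_bypass_outcome() -> dict:
    """Run the classic rename trick against both policies.

    Returns a dict of outcomes so the difference is visible at a glance:
    the unapproved browser renamed to notepad.exe slips past the name
    policy but is denied (and logged) by the hash policy.
    """
    by_name = Enforcer(name_policy)
    by_hash = Enforcer(hash_policy)

    # Unapproved binary renamed to an allowed name.
    renamed_ok_by_name = by_name.authorize("notepad.exe", UNAPPROVED_BROWSER)
    renamed_ok_by_hash = by_hash.authorize("notepad.exe", UNAPPROVED_BROWSER)

    # Approved binary with an arbitrary name: hash policy still allows it,
    # because identity is the content, not the label.
    odd_name_ok_by_hash = by_hash.authorize("whatever.exe", APPROVED_EDITOR)

    return {
        "renamed_browser_allowed_by_name_policy": renamed_ok_by_name,
        "renamed_browser_allowed_by_hash_policy": renamed_ok_by_hash,
        "approved_editor_with_odd_name_allowed_by_hash_policy": odd_name_ok_by_hash,
        "hash_policy_denials_logged": len(by_hash.deny_log),
    }


if __name__ == "__main__":
    for key, value in rename_bypass_outcome().items():
        print(f"{key}: {value}")
```

The point of the deny log is that a default-deny policy doubles as a sensor: every blocked hash on a portable-drive import is something the administrator wants to see, whether it is an honest mistake or the kind of credential stealer this story is about.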

This however does not fix some underlying problems with remote distributions. Datasets have become too large to be easily handled on standard CDs/DVDs, so many organizations have resorted to using hard drives to pass information. I still see potential problems. When mounting an 'untrusted' drive many things happen, n

This is a farce. Neither Windows, nor Linux or OS X or commodity PC hardware should be let within 100 miles of these systems. WTF are the military playing at? Is their trillion dollar budget not enough to afford some proper kit and in-house software FFS?

BINGO! Policies that carry significant political weight, especially when they become fashionable routes to swift approval, are especially prone to misunderstanding, misapplication, and imbalance between intended and unintended consequences. COTS, when misused as a panacea to achieve affordability, tends to not only be less affordable in the long run, but often leads to less effective solutions. The problem is that panaceas rarely are. Policies mindlessly pursued lead to poor results decoupled from

The datalogger dumps the information back into someplace like say the portable hard drive that brought it into the secured area to begin with. It sets up shop and makes a gazillion copies of the data it was designed to ferret out but it does nothing but log the data.

Then the portable hard drive gets walked out of the building and used on other hosts, at least one of which is infected with a transmission vector which picks up the payload and for

But if the offending piece of malware was on an NTFS file system, and accessed the ADS, hundreds of megabytes worth of lifted data could be stored, and nobody would be the wiser unless they checked to see what kind of data was hidden if resource forking was implemented. Pray this isn't the case, because if it is, Victoria won't have too many secrets left.